[原文]The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user.

-
漏洞信息

-
漏洞描述

Mac OS X contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the batch command fail to drop root privileges, and run user-specified commands as root. By passing the -f argument to the command, a malicious user could execute and/or read arbitrary files resulting in a loss of integrity.

-
时间线

公开日期:
2005-01-25

发现日期:
2004-12-20

利用日期:2005-01-25

解决日期:Unknow

-
解决方案

Upgrade to version 10.3.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

-
不受影响的程序版本

Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8

-
漏洞讨论

Multiple privilege escalation issues affect the 'at' family of utilities on Apple Mac OS X. These issues are due to a failure of the application to properly implement access controls on job schedule files.

An attacker may leverage these issues to read and delete arbitrary files and execute applications on an affected computer with superuser privileges. Information revealed in this way may lead to further attacks.

-
漏洞利用

No exploit is required to leverage these issues. The following proof of concept has been provided to view the master.passwd file: